Cyber Risk Wednesday: Breaking the Info-Sharing Logjam

At the Atlantic Council's Cyber Risk Wednesday, White House cybersecurity czar Michael Daniel said effective cybersecurity information sharing hinges on new relationships between Washington and the private sector.

On the heels of President Obama's executive order to promote information sharing between federal agencies and businesses worried about hackers, the White House cybersecurity czar said the success of that effort relies on forging new ties between Washington and industry.

"We are defining in the next three or four years a lot of these relationships that will operate for the next 50," said Michael Daniel, White House cybersecurity coordinator, at an event on Wednesday at the Washington think tank the Atlantic Council.

Because businesses are the primary drivers of Internet connectivity and innovation, Daniel said improving overall network security requires them to be a vital part of the administration's renewed focus on cybersecurity.

"We can't simply assign the responsibility of cybersecurity to the federal government," he said.

Improving the lines of communication between business and Washington is just one of the many issues around information sharing that policymakers and legislators are chewing over as they debate how to – or whether to at all – support an information sharing bill.

On Wednesday, the Atlantic Council examined many of the outstanding issues surrounding information sharing. Passcode was the exclusive media partner for the event.

Here are some of the big takeaways:

"The government is not always critical in these outcomes."

That's according to Jay Healey, Passcode columnist and director of the Cyber Statecraft Initiative at the Atlantic Council. Mr. Healey pointed out that quality information sharing can and has been taking place without government involvement.

At the Atlantic Council event, which was part of its Cyber Risk Wednesday series, Healey moderated a panel discussion on the topic with Ari Schwartz, White House director for cybersecurity privacy, civil liberties, and policy; Marcus Sachs, Verizon Communication's vice president of national security policy; and Jeff Schmidt; founder of JAS Global Advisors, a technology consulting firm.

Mr. Schwartz said that a key part of the White House goal to encourage more information sharing is to help facilitate more business-to-business sharing. This will also be a way of looping in international businesses to these sharing organizations, he said. "The EO, by it's nature, was meant to be international," he said.

Tech companies need time to make big fixes

More than a year ago, Mr. Schmidt's firm discovered a potentially devastating flaw in Microsoft's operating systems. Because of the nature of the problem – so fundamental that Schmidt said it affected all releases of the operating system back to Windows XP – it took Microsoft 13 months to correct.

So, said Schmidt, before bugs and vulnerabilities are made public (and revealing to bad guys they exist) companies that are faced with patching lots of software need significant time to solve problems. Google recently changed its policy of revealing bugs that it knows about after 90 days – fixed or not. All other companies should follow suit, Schmidt said.

Sharing is a nice thing to want, but a difficult thing to incentivize.

One major obstacle to information sharing is giving companies an economic incentive to share threat information. After all, that intelligence could be valuable on the open market. "This whole thing working out depended on us not being rational actors," noted Schmidt, whose company could have profited handsomely if it decided to sell the Microsoft bug.

"We are going to run out of basic patriots not motivated by money long before we run out of bugs," said Schmidt.

The government could start sharing more – publicly

Lastly, Healey said the government needs to reveal more of what it know about cybersecurity vulnerabilities. Especially when much of the information is already on the Web.